By Stephen McGrady
Principal
As I discussed in my article on the difference between Business Continuity Planning (BCP) and Disaster Recovery (DR) planning, Business Continuity Planning is about the operations side of disaster preparedness. How will you keep the business running after disaster strikes?
When helping organizations address their Business Continuity Planning needs, CIO Professional Services uses a four-step approach: conduct a Business Impact Assessment, get Governance mechanisms defined and approved, prepare the team to handle Crisis Management, and create the Emergency Operating Plans (EOPs) for highly-impacted departments. Here’s an overview of how this works…
Step #1: Conduct a Business Impact Assessment
Before you can create a Business Continuity Plan you need to have a clear picture of how different areas of the business might be affected by a disaster, and what the impact of this might be on the company’s bottom line.
For each of the major processes or areas in the business (such as Accounting, Sales, Manufacturing, etc.) you need to ask people in that part of the organization what would happen if a particular function could not be performed for 24 hours, 3 days, 1 week, 2 weeks, 1 month, etc. Your goal is to try to determine which functions you can live without for a few days, and which would immediately bring down the company’s ability to operate. For functions that are not immediately necessary, how long would it take before their loss caused serious problems?
Just as importantly, what would be the impact on the business if that function could not be performed? Quantifying this impact in dollars for all functions will help you determine your risk priorities, recovery point/recovery time objectives, and the appropriate investment to make to mitigate those risks or protect those assets.
Step #2: Get Governance in Place
In the context of Business Continuity Planning, one of the most important aspects of Governance is the pre-planned delegation of authority for overriding normal operating procedures in an emergency.
You should have a pre-planned waiver of normal business practices to be activated in the event of an emergency, and a method for invoking that procedure. For example: “Two officers on the Executive Committee must confer, agree and jointly declare an emergency. Once they do, the following people are each authorized to spend money to mitigate the disaster and/or maintain business operations.”
Why is this so important? Say you have business practices in place stating that only the President can sign checks for over $10,000, and no one can issue a purchase order unless it goes through your normal accounts payable procedures. In an emergency the President may not be available and your entire accounts payable system may be down. You need to be able to waive these things so that someone can take immediate action. A manager needs to know if, for example, she has the authority to use her credit card to buy supplies, or to call a structural engineer and ask them to “get over here now regardless of the cost.”
Other Governance issues to address include:
- Controlling who talks to the press, government and public safety agencies
- Communication trees
- How communications with employees and their families are conducted
Step #3: Have Crisis Management Training
If a crisis should hit, things will go much more smoothly if you have a team of mid- to senior-level management people in place who have had some training on how to respond. CIO Professional Services provides this training, including running scenarios and simulations to prepare the crisis management team to function efficiently.
For example, I recently completed a “table top” training exercise with the senior management team at a semiconductor and IP product organization in Silicon Valley. What would happen if their city was hit by a major earthquake? We assumed that as a result of this natural disaster the power would go out; the building would be closed until engineers could evaluate its structural integrity; people wouldn’t be able to get to work because bridges, roads and public transportation would be out of commission; and more.
Our table-top simulation used a slide deck. Every slide had a digital clock and a statement about the latest news, such as “It’s now 11:02 and XYZ just happened. What do you do?” Then the next slide said, “It’s now 11:05 and you just got this update from the Fire Department. What do you do?” And so forth.
For this type of training exercise we’ve found that it’s not actually necessary to shut down the systems, pay actors to pretend they’re injured, or anything like that. You can learn quite a bit by having 30 people in a conference room walk through a scenario and be hit with things they hadn’t thought of. For example, some of the things that this group realized they had never addressed include:
- If we have to evacuate the building, where would the Crisis Management Team meet? Having a designated place, such as in the parking lot (assuming it’s not a parking structure that may become unsafe as a result of the disaster!) is a good idea.
- How will we communicate if our cell phones don’t work and the internet is down? It may be worthwhile to invest in emergency radios for certain people, such as those in building services.
- If the building is uninhabitable, how will we let our workers know where to go? You may want to invest in an employee notification system that can blast messages out to employees, vendors and multiple stake holders on various communication channels. We’ve worked with some systems that do a great job with this.
Step #4: Create the Emergency Operating Plan(s)
Using the information gained in steps 1 and 3, as well as general knowledge of the business, create a Plan for each department that will mitigate risks, protect assets and enable the business to continue operations after a disaster.
For example, Accounting should have an EOP that allows them to meet payroll and pay vendors. Manufacturing needs EOPs for meeting (possibly reduced) production quotas and allocating production to customers. Human Resources needs plans to assist employees and their families who are displaced in a disaster, and are therefore unable to report to or concentrate on work.
Of course, as with any project of this nature, it’s not enough to create a plan and document that plan in writing. You also need to periodically review the plan and test it (or aspects of it, as appropriate).
Conclusion
Need help putting a Business Continuity Plan in place? Give us a call. At CIO Professional Services this is one of our areas of expertise.
About Stephen McGrady
Stephen McGrady has served in technology vision and leadership roles, including Vice President of Services, Chief Information Officer (CIO) and General Manager, for over 20 years. Since 2006 he has focused on executive management consulting that enables business clients to improve performance through intelligent use of information technologies.
About CIO Professional Services
Based in the San Francisco Bay area, CIO Professional Services LLC is a top-rated Information Technology (IT) consulting firm focused on integrating Business and Information Technology. Our consultants are all hands-on executives who are veteran CIOs and Partners of Big 4 consulting firms. Companies come to us seeking assistance with their information technology strategy as well as for interim or fractional CIO / CTOs, and negotiation and program management/project rescue assistance.
